Thursday, July 25, 2019

Calling SSL or https Web Service using WebLogic : javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

When calling an external HTTPS web service through PeopleSoft Integration Broker, the WebLogic PIA stdout log shows the following message:

<Jul 23, 2019 6:47:30 PM EDT> <Notice> <Stdout> <BEA-000000> <[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)', RECV TLSv1.2 ALERT:  fatal, bad_certificate>

In the Integration Broker Gateway logs (errorLog and PIA_stderr, both quoted in full at the end of this post), you will see:

HttpTargetConnector:ExternalSystemContactException Received fatal alert: bad_certificate
Message Set : 158, Message ID : 10721 IOException: The host couldn't be resolved.

The "host couldn't be resolved" text is misleading: DNS and the TCP connection worked, because the TLS handshake got far enough for an alert to be exchanged. The important word is RECV. The remote server sent the fatal bad_certificate alert, which means it rejected something the gateway presented to it, not the other way round.
To debug further, add -Djavax.net.debug to JAVA_OPTIONS in setEnv.sh and restart the PIA domain so the option is picked up:

JAVA_OPTIONS_LINUX="-server -Xms1024m -Xmx1024m -Dtuxedo.jolt.LLEDeprecationWarnLevel=NONE -Djavax.net.debug=all -XX:MaxPermSize=256m -Dtoplink.xml.platform=oracle.toplink.platform.xml.jaxp.JAXPPlatform -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0"

or, for a smaller trace that still shows every handshake message and alert:
-Djavax.net.debug=ssl:handshake:verbose

Remove the option again once the problem is understood: the "all" level is extremely verbose and dumps the raw handshake records into the log.

Review this Oracle Support document on how to read the output:

[Java SE] Training - How to Process javax.net.debug Diagnostic Output (Doc ID 2170565.1)

The first egrep below keeps only the handshake message markers, alerts and exceptions, which is usually enough to see which side sent the alert and whether the gateway had sent its client certificate by then; the second drops the hex dump lines (those starting with an offset such as 0000:) that make the raw output hard to read.

egrep -i "\* ClientHello|\* ServerHello|\* Certificate chain|\* CertificateRequest|\* ServerHelloDone|\* ClientKeyExchange|\* ServerKeyExchange|\* CertificateVerify|Change Cipher Spec|\* Finished|fatal|exception"  outputfile
egrep -v "^[0-9A-Z][0-9A-Z][0-9A-Z][0-9A-Z]:" outputfile
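As an added example (not part of the original post), the following Python script reads a javax.net.debug handshake trace and answers the two questions the egrep output above is meant to answer: which side sent the fatal alert, and had the gateway already sent a client certificate when it arrived. The two trace excerpts are constructed, trimmed JDK 8 style output; the host and CA names are made up, and the alert lines follow the format of the WebLogic stdout entry quoted above.

```python
import re

# Constructed excerpt of JDK 8 javax.net.debug=ssl:handshake output for the failure on
# this page: a mutual-TLS call where the remote server rejects the client certificate.
# Certificate bodies are trimmed; host and CA names are made up.
TRACE_PEER_REJECTED_CLIENT_CERT = """\
*** ClientHello, TLSv1.2
*** ServerHello, TLSv1.2
*** Certificate chain
chain [0] = [
  Subject: CN=ws.example.com, O=Example
]
***
*** CertificateRequest
*** ServerHelloDone
*** Certificate chain
chain [0] = [
  Subject: CN=psft-client, OU=IB, O=Example
]
***
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1.2
*** CertificateVerify
[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)', RECV TLSv1.2 ALERT:  fatal, bad_certificate
"""

# Constructed excerpt of the opposite failure: the JVM does not trust the server's
# chain, so it SENDs the alert itself and raises the PKIX exception locally.
TRACE_LOCAL_REJECTED_SERVER_CERT = """\
*** ClientHello, TLSv1.2
*** ServerHello, TLSv1.2
*** Certificate chain
chain [0] = [
  Subject: CN=ws.example.com, O=Example
]
***
[ACTIVE] ExecuteThread: '3' for queue: 'weblogic.kernel.Default (self-tuning)', SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
"""

HANDSHAKE_MSGS = ("ClientHello", "ServerHello", "Certificate chain", "CertificateRequest",
                  "ServerHelloDone", "ClientKeyExchange", "ServerKeyExchange",
                  "CertificateVerify", "Finished")
MSG_RE = re.compile(r"^\*\*\* (" + "|".join(re.escape(m) for m in HANDSHAKE_MSGS) + r")\b")
# JDK 8 prints received alerts as "RECV <proto> ALERT:  fatal, <desc>" and sent
# alerts as "SEND <proto> ALERT:  fatal, description = <desc>".
ALERT_RE = re.compile(r"\b(RECV|SEND) (?:TLSv1(?:\.\d)?|SSLv3) ALERT:\s+(\w+), (?:description = )?(\w+)")


def parse_handshake(trace):
    """Return (messages, alerts) in wire order. An empty client Certificate message,
    which the JDK prints as '<Empty>', is recorded as 'Certificate chain (empty)'."""
    lines = trace.splitlines()
    messages, alerts = [], []
    for i, line in enumerate(lines):
        m = MSG_RE.match(line)
        if m:
            name = m.group(1)
            if name == "Certificate chain" and i + 1 < len(lines) and lines[i + 1].strip() == "<Empty>":
                name = "Certificate chain (empty)"
            messages.append(name)
            continue
        a = ALERT_RE.search(line)
        if a:
            alerts.append((a.group(1), a.group(2), a.group(3)))
    return messages, alerts


def client_certificate_sent(messages):
    """True if a non-empty Certificate message follows ServerHelloDone, i.e. the
    gateway answered the CertificateRequest with a certificate from pskey."""
    if "ServerHelloDone" not in messages:
        return False
    return "Certificate chain" in messages[messages.index("ServerHelloDone") + 1:]


def triage(trace):
    """Classify a failed handshake by who sent the first fatal alert and by what
    the client had sent by then. Returns a tag the operator can act on."""
    messages, alerts = parse_handshake(trace)
    fatal = [a for a in alerts if a[1] == "fatal"]
    if not fatal:
        return "no-fatal-alert"
    direction, _, desc = fatal[0]
    if direction == "SEND":
        # We rejected the peer: its issuing CA is missing from our truststore (pskey).
        return "local-rejected-server-cert:" + desc
    if "CertificateRequest" in messages:
        if client_certificate_sent(messages):
            # The peer rejected the cert we presented: check the pskey PrivateKeyEntry
            # for expiry and for an issuer the peer actually trusts.
            return "peer-rejected-client-cert:" + desc
        # We sent an empty Certificate message: no PrivateKeyEntry matched the
        # CAs the peer listed in CertificateRequest.
        return "client-cert-not-sent:" + desc
    return "peer-sent-alert:" + desc


if __name__ == "__main__":
    print(triage(TRACE_PEER_REJECTED_CLIENT_CERT))   # peer-rejected-client-cert:bad_certificate
    print(triage(TRACE_LOCAL_REJECTED_SERVER_CERT))  # local-rejected-server-cert:certificate_unknown
```

Feed it the file written by the egrep commands above (or the raw stdout log) in place of the constructed traces. A "peer-rejected-client-cert" result points at the PrivateKeyEntry in pskey; a "local-rejected-server-cert" result points at a missing CA in pskey; "client-cert-not-sent" means pskey holds no PrivateKeyEntry issued by a CA the remote server asked for.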
Resolution
This issue is caused by an expired SSL certificate (PrivateKeyEntry) in the pskey keystore. The target web service requires a client certificate: the gateway answers the server's CertificateRequest with the PrivateKeyEntry from pskey, and the server, finding that certificate expired, aborts the handshake with bad_certificate. The keystore is located at

$PS_CFG_HOME/webserv/peoplesoft/piaconfig/keystore

To list the entries:

cd $PS_CFG_HOME/webserv/peoplesoft/piaconfig/keystore
ls -lrt
keytool -list -keystore pskey -storepass xxx -alias xxx -v
or to list everything
keytool -list -keystore pskey -storepass xxx -v > output.txt

Review the output for an expired entry: check the "Valid from: ... until:" line of every certificate in each chain, not only Certificate[1], and note the Entry type, since only PrivateKeyEntry entries are presented to the remote server as a client certificate.
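Added example, not from the original post: a Python script that parses `keytool -list -v` output and flags expired or soon-expiring certificates per alias, checking every certificate in the chain rather than only the leaf. The listing is a constructed sample in keytool's output format; the aliases (partnerws, pskeycert, partnerrootca), subject names and dates are made up, and the reference time is the timestamp of the WebLogic log line quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `keytool -list -keystore pskey -storepass xxx -v` output,
# trimmed to the fields this check reads. Aliases, names and dates are made up;
# "partnerws" models the expired PrivateKeyEntry described on this page.
SAMPLE_LISTING = """\
Your keystore contains 3 entries
Alias name: partnerws
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=psft-client, OU=IB, O=Example
Issuer: CN=Example Partner CA, O=Example
Valid from: Fri Jul 20 10:00:00 EDT 2018 until: Sat Jul 20 10:00:00 EDT 2019
Certificate[2]:
Owner: CN=Example Partner CA, O=Example
Issuer: CN=Example Partner CA, O=Example
Valid from: Mon Jan 01 00:00:00 EST 2018 until: Thu Jan 01 00:00:00 EST 2026

*******************************************
*******************************************
Alias name: pskeycert
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=pia.example.com, O=Example
Issuer: CN=Example Internal CA, O=Example
Valid from: Sun Mar 03 09:00:00 EST 2019 until: Tue Mar 03 09:00:00 EST 2020

*******************************************
*******************************************
Alias name: partnerrootca
Entry type: trustedCertEntry

Owner: CN=Example Partner CA, O=Example
Issuer: CN=Example Partner CA, O=Example
Valid from: Mon Jan 01 00:00:00 EST 2018 until: Thu Jan 01 00:00:00 EST 2026
"""

VALID_RE = re.compile(r"^Valid from: (.+?) until: (.+)$")
LOG_TIME = datetime(2019, 7, 23, 18, 47)  # timestamp of the WebLogic log line quoted above


def parse_keytool_date(text):
    """Parse 'Sat Jul 20 10:00:00 EDT 2019'; the zone token is ignored (hour-level accuracy)."""
    _dow, mon, day, clock, _zone, year = text.split()
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")


def parse_keytool_listing(listing):
    """Entries as {alias, type, certs: [{owner, issuer, not_after}, ...]}, leaf first."""
    entries, entry, cert = [], None, None
    for line in listing.splitlines():
        if line.startswith("Alias name: "):
            entry = {"alias": line[12:], "type": None, "certs": []}
            entries.append(entry)
        elif entry is None:
            continue  # keystore header before the first alias
        elif line.startswith("Entry type: "):
            entry["type"] = line[12:]
        elif line.startswith("Owner: "):
            cert = {"owner": line[7:], "issuer": None, "not_after": None}
            entry["certs"].append(cert)
        elif line.startswith("Issuer: ") and cert is not None:
            cert["issuer"] = line[8:]
        else:
            m = VALID_RE.match(line)
            if m and cert is not None:
                cert["not_after"] = parse_keytool_date(m.group(2))
    return entries


def audit_keystore(listing, now, warn_days=30):
    """(alias, entry type, owner, issuer, status) for each certificate that is expired or
    expires within warn_days. Whole chains are checked: an expired intermediate in a
    PrivateKeyEntry fails the peer's path validation exactly like an expired leaf."""
    findings = []
    for e in parse_keytool_listing(listing):
        for c in e["certs"]:
            if c["not_after"] is None:
                continue
            if c["not_after"] < now:
                status = "expired"
            elif c["not_after"] - now <= timedelta(days=warn_days):
                status = "expires-soon"
            else:
                continue
            findings.append((e["alias"], e["type"], c["owner"], c["issuer"], status))
    return findings


def expired_private_key_aliases(listing, now):
    """PrivateKeyEntry aliases with an expired cert in the chain: the re-issue (or delete) candidates."""
    return sorted({f[0] for f in audit_keystore(listing, now)
                   if f[1] == "PrivateKeyEntry" and f[4] == "expired"})


if __name__ == "__main__":
    for finding in audit_keystore(SAMPLE_LISTING, LOG_TIME):
        print(" | ".join(finding))
```

Run it against the output.txt written by the keytool -list command above (replace SAMPLE_LISTING with the file contents) and pass datetime.now() as the reference time. The issuer column is there for the second cause discussed below: it is the CA the remote provider has to trust for the client certificate to be accepted.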

This can also happen with a PrivateKeyEntry that is not expired but is signed by a CA the target web service provider does not trust: the server cannot build a path from the gateway's certificate to a CA in its own truststore, fails validation, and sends the same bad_certificate alert. Compare the Issuer of the PrivateKeyEntry against the CAs the provider accepts (with handshake debugging on, they are listed under CertificateRequest in the trace).

Solution: delete the expired or invalid PrivateKeyEntry and restart the web server. Before deleting, back up pskey and confirm the alias is not used by another integration or by the PIA's own HTTPS listener. Note also that if the target requires (rather than merely requests) a client certificate, deleting the entry only changes the failure, because the gateway will then answer the CertificateRequest with an empty certificate message, which such a server also rejects; the lasting fix is to renew the certificate and import the new chain under the same alias.

keytool -delete -keystore pskey -storepass xxx -alias xxx

This has resolved the issue.

A different failure, easy to confuse with this one, is the gateway not trusting the target: if the root CA of the target web service provider's certificate is not in pskey, the JVM rejects the server certificate itself. In the handshake debug output that shows up as a SEND alert from the gateway together with a "PKIX path building failed" exception, not as a received bad_certificate alert, and the fix is to import the provider's root CA into pskey as a trustedCertEntry (keytool -importcert -trustcacerts) and restart.

errorLog

javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
 at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
 at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1972)
 at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1089)
 at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1325)
 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1352)
 at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1336)
 at psft.pt8.pshttp.https.HttpsClient.doConnect(HttpsClient.java:246)
 at sun.net.NetworkClient.openServer(NetworkClient.java:136)
 at psft.pt8.pshttp.https.HttpClient.openServer(HttpClient.java:543)
 at psft.pt8.pshttp.https.HttpClient.<init>(HttpClient.java:364)
 at psft.pt8.pshttp.https.HttpsClient.<init>(HttpsClient.java:76)
 at psft.pt8.pshttp.https.HttpsClient.newClient(HttpsClient.java:132)
 at psft.pt8.pshttp.https.HttpsClient.newClient(HttpsClient.java:100)
 at psft.pt8.pshttp.https.HttpsURLConnection.connect(HttpsURLConnection.java:468)
 at psft.pt8.pshttp.PSHttp.getResponseCode(PSHttp.java:423)
 at com.peoplesoft.pt.integrationgateway.targetconnector.HttpTargetConnector.send(HttpTargetConnector.java:858)
 at com.peoplesoft.pt.integrationgateway.service.BasicConnectorInvocator.execute(BasicConnectorInvocator.java:131)
 at com.peoplesoft.pt.integrationgateway.framework.GatewayManager.invokeService(GatewayManager.java:148)
 at com.peoplesoft.pt.integrationgateway.framework.GatewayManager.connect(GatewayManager.java:192)
 at com.peoplesoft.pt.integrationgateway.listeningconnector.PeopleSoftListeningConnector.doPost(PeopleSoftListeningConnector.java:186)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:751)
 at com.peoplesoft.pt.integrationgateway.listeningconnector.PeopleSoftListeningConnector.service(PeopleSoftListeningConnector.java:87)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:844)
 at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:280)
 at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:254)
 at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:136)
 at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:346)
 at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)
 at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
 at com.peoplesoft.pt.integrationgateway.common.IBFilter.doFilter(IBFilter.java:84)
 at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
 at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3456)
 at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3422)
 at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:323)
 at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
 at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
 at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2280)
 at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2196)
 at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
 at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1632)
 at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:256)
 at weblogic.work.ExecuteThread.execute(ExecuteThread.java:311)
 at weblogic.work.ExecuteThread.run(ExecuteThread.java:263)


PIA_stderr

com.peoplesoft.pt.integrationgateway.common.ExternalSystemContactException: HttpTargetConnector:ExternalSystemContactException Received fatal alert: bad_certificate
 at com.peoplesoft.pt.integrationgateway.targetconnector.HttpTargetConnector.send(HttpTargetConnector.java:1296)
 at com.peoplesoft.pt.integrationgateway.service.BasicConnectorInvocator.execute(BasicConnectorInvocator.java:131)
 at com.peoplesoft.pt.integrationgateway.framework.GatewayManager.invokeService(GatewayManager.java:148)
 at com.peoplesoft.pt.integrationgateway.framework.GatewayManager.connect(GatewayManager.java:192)
 at com.peoplesoft.pt.integrationgateway.listeningconnector.PeopleSoftListeningConnector.doPost(PeopleSoftListeningConnector.java:186)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:751)
 at com.peoplesoft.pt.integrationgateway.listeningconnector.PeopleSoftListeningConnector.service(PeopleSoftListeningConnector.java:87)
 at javax.servlet.http.HttpServlet.service(HttpServlet.java:844)
 at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:280)
 at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:254)
 at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:136)
 at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:346)
 at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:25)
 at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
 at com.peoplesoft.pt.integrationgateway.common.IBFilter.doFilter(IBFilter.java:84)
 at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:79)
 at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3456)
 at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3422)
 at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:323)
 at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
 at weblogic.servlet.provider.WlsSubjectHandle.run(WlsSubjectHandle.java:57)
 at weblogic.servlet.internal.WebAppServletContext.doSecuredExecute(WebAppServletContext.java:2280)
 at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2196)
 at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2174)
 at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1632)
 at weblogic.servlet.provider.ContainerSupportProviderImpl$WlsRequestExecutor.run(ContainerSupportProviderImpl.java:256)
 at weblogic.work.ExecuteThread.execute(ExecuteThread.java:311)
 at weblogic.work.ExecuteThread.run(ExecuteThread.java:263)